@voidzero-dev/vite-plus-test
The Unified Toolchain for the Web
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:obug | AI (dependencies): obug is a debugging utility; expected in a test framework package. No security concern. | ai | |
| dependencies | unvetted-dep:@types/chai | AI (dependencies): @types/chai is the standard TypeScript types for chai assertions; entirely expected in a test framework. | ai | |
| npm-metadata | no-description | AI (npm-metadata): VoidZero automated build package; missing description is a metadata gap, not a security signal given 260k downloads and 117 versions. | ai | |
| phantom-deps | phantom-dep:tinyexec | AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type. | ai | |
| phantom-deps | phantom-dep:tinybench | AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type. | ai | |
| phantom-deps | phantom-dep:es-module-lexer | AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type. | ai | |
| phantom-deps | phantom-dep:tinyglobby | AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type. | ai | |
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): TypeScript type package used by framework consumers; phantom detection is a known false positive for this pattern. | ai | |
| phantom-deps | phantom-dep:pixelmatch | AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type. | ai | |
| bogus-package | bogus-package | AI (bogus-package): The spam-publisher signal fires on yyx990803 (Evan You, Vue/Vite creator) and vitebot (official Vite automation bot) — both are highly legitimate npm publishers. False positive for this package. | ai | |
| phantom-deps | phantom-dep:obug | AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type. | ai |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 0.1.21 | 13 / 28 | |
| 0.1.20 | 13 / 28 | |
| 0.1.19 | 13 / 28 | |
| 0.1.18 | 13 / 28 | |
| 0.1.17 | 13 / 28 | |
| 0.1.16 | 13 / 28 | |
| 0.1.15 | 13 / 28 | |
| 0.1.14 | 13 / 28 | |
| 0.1.13 | 13 / 28 | |
| 0.1.12 | 13 / 28 | |
| 0.1.11 | 13 / 28 | |
| 0.1.10 | 13 / 28 | |
| 0.1.9 | 13 / 26 | |
| 0.1.8 | 13 / 26 | |
| 0.1.7 | 13 / 26 | |
| 0.1.6 | 13 / 26 | |
| 0.1.5 | 13 / 26 | |
| 0.1.4 | 13 / 26 | |
| 0.1.3 | 13 / 26 | |
| 0.1.2 | 13 / 26 | |
| 0.1.1 | 13 / 26 | |
| 0.1.0 | 13 / 26 |
v0.1.21
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.20
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.19
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.